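#!/bin/bash
# Creates a local CA key/cert pair and configures a cert-manager
# Issuer, or a ClusterIssuer when the namespace is "cert-manager".
# Usage: $0 [namespace]
# Namespace defaults to "gooddata".
# Requires: openssl, base64, kubectl (and a reachable cluster context).
set -euo pipefail

NAMESPACE=${1-gooddata}
readonly NAMESPACE
readonly COMMON_NAME="K3D Local CA"
readonly CM_NAMESPACE="cert-manager"
readonly CA_KEY="ca.key"
readonly CA_CRT="ca.crt"
# Prefix for the issuer kind: "" -> Issuer, "Cluster" -> ClusterIssuer.
CLUSTERWIDE=""

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Aborts unless every external tool the script relies on is installed.
#######################################
check_prereqs() {
  local tool
  for tool in openssl base64 kubectl; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done
}

#######################################
# Generates the CA private key unless one already exists.
# Globals:  CA_KEY (read)
# Outputs:  a status line on stdout when an existing key is reused
#######################################
ensure_ca_key() {
  if [[ -f "$CA_KEY" ]]; then
    echo "Reusing existing private key ${CA_KEY}"
    return 0
  fi
  # umask 077 in a subshell: the key file is created mode 0600 from the
  # start, so it is never briefly world-readable; the caller's umask is
  # untouched.
  ( umask 077 && openssl genrsa -out "$CA_KEY" 2048 )
}

#######################################
# Creates a self-signed CA certificate unless one already exists.
# Globals:  CA_KEY, CA_CRT, COMMON_NAME (read)
# Outputs:  a status line on stdout when an existing cert is reused
#######################################
ensure_ca_cert() {
  if [[ -f "$CA_CRT" ]]; then
    echo "Reusing existing CA certificate ${CA_CRT}"
    return 0
  fi
  # Self-signed cert with the v3_ca extensions applied; 7300 days is
  # roughly 20 years of validity.
  openssl req -x509 -new -nodes -key "$CA_KEY" -subj "/CN=${COMMON_NAME}" \
    -days 7300 -reqexts v3_req -extensions v3_ca -out "$CA_CRT"
}

#######################################
# Prints a file base64-encoded on a single line. macOS (BSD) and GNU
# base64 spell the "no line wrapping" option differently.
# Arguments: $1 - path of the file to encode
# Outputs:   the encoded content on stdout
#######################################
b64_single_line() {
  local path=$1
  case "$(uname -s)" in
    Darwin*) base64 -b0 "$path" ;;
    *)       base64 -w0 "$path" ;;
  esac
}

#######################################
# Prints the Secret manifest holding the CA key pair.
# Arguments: $1 - base64 certificate, $2 - base64 private key
# Globals:   NAMESPACE (read)
#######################################
secret_manifest() {
  local cert=$1 key=$2
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: ${NAMESPACE}
data:
  tls.crt: ${cert}
  tls.key: ${key}
EOF
}

#######################################
# Prints the Issuer / ClusterIssuer manifest referencing the Secret.
# Globals:   CLUSTERWIDE, NAMESPACE (read)
# NOTE(review): the namespace field is kept for the ClusterIssuer case as
# in the original; kubectl is expected to disregard it for a cluster-scoped
# kind — confirm against the kubectl version in use.
#######################################
issuer_manifest() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ${CLUSTERWIDE}Issuer
metadata:
  name: ca-issuer
  namespace: ${NAMESPACE}
spec:
  ca:
    secretName: ca-key-pair
EOF
}

#######################################
# Prints instructions for trusting the CA certificate locally.
# Globals:   CA_CRT, COMMON_NAME, HOME, PWD (read)
#######################################
print_trust_instructions() {
  cat <<EOF
If you want to suppress 'Untrusted certificate' errors in web browser,
install the following CA certificate to your system and browser:
$(cat "$CA_CRT")
### On Linux with Chrome/Chromium browser, you can use this
### to set trust (needs libnss3-tools)
## sudo apt-get install libnss3-tools
### Create NSS db if it doesn't exist
## [ ! -d $HOME/.pki/nssdb ] && certutil -N -d sql:$HOME/.pki/nssdb --empty-password
## Load local CA Certificate as trusted to your system
## certutil -d sql:$HOME/.pki/nssdb -A -t C -n "$COMMON_NAME" -i $PWD/ca.crt
EOF
}

main() {
  check_prereqs

  if [[ "${NAMESPACE}" == "${CM_NAMESPACE}" ]]; then
    echo "Given namespace is ${NAMESPACE}, creating ClusterIssuer"
    CLUSTERWIDE="Cluster"
  fi

  ensure_ca_key
  ensure_ca_cert

  local cert key
  cert=$(b64_single_line "$CA_CRT")
  key=$(b64_single_line "$CA_KEY")

  echo "Uploading resources to kubernetes"
  # The manifests are streamed to kubectl rather than written to disk: the
  # Secret manifest carries the CA private key, and a temp file would be
  # left behind if the script stopped before the cleanup step. With
  # pipefail a failed create aborts the script instead of continuing.
  secret_manifest "$cert" "$key" | kubectl create -f -
  issuer_manifest | kubectl create -f -

  print_trust_instructions
}

main "$@"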